Security Deployment Considerations
Before defining a firewall supported configuration, refer to the following
deployment guidelines to ensure the configuration is optimally effective:
- Firewalls implement access control policies. If you have not decided what
kind of access to allow or deny, a firewall is of little value.
- It's important to recognize the firewall's configuration is a mechanism for
enforcing a network access policy.
- Firewalls cannot protect against tunneling over application protocols to poorly
secured wireless clients.
- Firewalls should be deployed on WLANs implementing weak encryption to minimize
access to trusted networks and hosts in the event the WLAN is compromised.
- Firewalls should be enabled when providing Captive Portal guest access. Firewalls
should be applied to Captive Portal enabled WLANs to prevent guest user traffic from
being routed to trusted networks and hosts.
Before configuring WIPS support, refer to the following deployment guidelines to
ensure the configuration is optimally effective:
- WIPS is best utilized when deployed in conjunction with a corporate or enterprise
wireless security policy. Since an organization's security goals vary, the security
policy should document site specific concerns. The WIPS system can then be modified
to support and enforce these additional security policies.
- WIPS reporting tools can minimize dedicated administration time. Vulnerability and
activity reports should automatically run and be distributed to the appropriate
administrators. These reports should highlight areas to be investigated and
minimize the need for continuous network monitoring.
- It is important to keep your WIPS system firmware and software up to date. A
quarterly system audit can ensure firmware and software versions are current.
- Only a trained wireless network administrator can determine the criteria used to
authorize or ignore devices. You may want to consider your organization's overall
security policy and your tolerance for risk versus users' need for network access.
Some questions that may be useful in deciding how to classify a device are:
  - Does the device conform to any vendor requirements you have?
  - What is the signal strength of the device? Is it likely the device is outside your
  physical radio coverage area?
  - Is the detected access point properly configured according to your organization's
  security policies?
- Trusted and known access points should be added to a sanctioned AP list. This will
minimize the number of unsanctioned AP alarms received.
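The classification questions above (sanctioned list, vendor requirements, signal strength, conformance to the site security policy) can be turned into a repeatable triage rule. The following is an added illustration, not code from this guide or its WIPS product; the sanctioned BSSIDs, approved OUI, RSSI threshold and required security modes are constructed site-policy values.

```python
from dataclasses import dataclass

# Site policy values (constructed for this example, not from the guide).
SANCTIONED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
APPROVED_OUIS = {"00:11:22"}          # vendor prefixes the site has standardised on
MIN_RSSI_DBM = -85                    # weaker than this is likely outside our coverage
REQUIRED_SECURITY = {"wpa2", "wpa3"}  # anything else violates the site security policy


@dataclass
class DetectedAP:
    bssid: str
    ssid: str
    rssi_dbm: int
    security: str  # e.g. "open", "wep", "wpa2", "wpa3"


def classify_ap(ap: DetectedAP) -> tuple[str, str]:
    """Return (classification, reason), walking the guide's questions in order:
    known/trusted list, signal strength, vendor requirement, security policy."""
    bssid = ap.bssid.lower()
    if bssid in SANCTIONED_BSSIDS:
        return "sanctioned", "listed as a known/trusted AP"
    if ap.rssi_dbm < MIN_RSSI_DBM:
        # Too weak to be on the premises: ignore rather than raise an alarm.
        return "ignored", f"rssi {ap.rssi_dbm} dBm below {MIN_RSSI_DBM} dBm, likely outside coverage"
    if bssid[:8] not in APPROVED_OUIS:
        return "unsanctioned", f"vendor OUI {bssid[:8]} not approved"
    if ap.security.lower() not in REQUIRED_SECURITY:
        return "unsanctioned", f"security '{ap.security}' violates policy"
    # Right vendor, in range, policy-conformant, but not yet on the list:
    # hand to an administrator to review and, if trusted, add to the sanctioned list.
    return "review", "conforms to policy but is not on the sanctioned list"


def classify_all(aps: list[DetectedAP]) -> dict[str, tuple[str, str]]:
    """Classify a whole scan result, keyed by BSSID."""
    return {ap.bssid: classify_ap(ap) for ap in aps}


# Constructed scan sample: one known AP, one unlisted corporate-vendor AP,
# one distant neighbour, and one in-range open AP from an unapproved vendor.
SAMPLE_SCAN = [
    DetectedAP("00:11:22:33:44:01", "corp", -55, "wpa2"),
    DetectedAP("00:11:22:33:44:99", "corp", -60, "wpa2"),
    DetectedAP("aa:bb:cc:dd:ee:ff", "neighbour", -90, "wpa2"),
    DetectedAP("aa:bb:cc:00:00:01", "rogue-corp", -50, "open"),
]

if __name__ == "__main__":
    for bssid, (cls, why) in classify_all(SAMPLE_SCAN).items():
        print(f"{bssid}: {cls} ({why})")
```

Keeping every trusted AP in SANCTIONED_BSSIDS is what reduces the alarm volume; the "review" bucket is the queue for adding new ones.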